Industry Committee on Nov. 28th, 2023

Thank you very much for the opportunity to appear.

I am senior counsel at McCarthy Tétrault, with a practice focused on technology, intellectual property and privacy. I'm the author of several books in the field, including an eight-volume treatise on computer, Internet and electronic commerce law. I'm here in my personal capacity.

Although my remarks will focus on AIDA, I've submitted to the clerk articles published related to CPPA and AIDA, which contain much-needed improvements. You can see that my submission is substantial.

My remarks are going to focus on AIDA, as I've mentioned. In my view, AIDA is fundamentally flawed.

Any law that is intended to regulate an emerging transformative technology like AI should meet certain basic criteria. It should protect the public from significant risks and harms and be effective in promoting and not hindering innovation. It must also be intelligible—that is, members of Parliament and the public must be able to know what is being regulated and how the law will apply. It must respect parliamentary sovereignty and the constitutional division of powers and employ an efficient and accountable regulatory framework. AIDA either fails or its impact is unknowable in every respect.

AIDA has no definition of “high-impact system”, and even with the minister's letter that was delivered, has no criteria and no guiding principles for how AI systems will be regulated. We don't know what the public will be protected from, how the regulations will affect innovation or what the administrative monetary penalties will be. We know that fines for violating the regulations can reach $10 million or 3% of gross revenues, but we have no idea what the regulations will require that will trigger the mammoth fines against both small and large businesses that operate in this country.

In short, none of the key criteria to assess AIDA are knowable. In its current form, AIDA is unintelligible.

AIDA is, in my view, an affront to parliamentary sovereignty. AIDA sets a dangerous precedent. What will be next? Fiat by regulation for quantum computing, blockchain, the climate crisis or other threats? We have no idea.

AIDA also invokes a centralized regulatory framework that leaves all regulation to ISED. This departs from the sensible, decentralized, hub and spoke pro-innovation approach being taken so far in the United Kingdom and the United States, which leverages existing agencies and their expertise and avoids overlapping regulation. It recognizes that AI systems of all types will pervade all aspects of society and that one regulatory authority alone is ill-suited to regulate them. Rather, what is needed is a regulatory framework for a centralized body that sets standards and policies, coordinates regulation within Canada and internationally, and has a mechanism for addressing areas where there are gaps, if there are any.

AIDA also paves the way for a bloated and unaccountable bureaucracy within ISED. ISED will make and enforce the regulations, and they will be administered and enforced by the AI and data commissioner, who is not accountable to Parliament like the Privacy Commissioner. The commissioner is also not subject to any express judicial oversight, even though the commissioner has the power to shut down businesses and to levy substantial fines.

Last, a major problem with AIDA is that its lack of intelligibility and guiding principles make it impossible to evaluate its impact on innovation. We need to recognize that Canada is a middle country. It is risky for Canada to be out in front of our major trading partners with a law that may not be interoperable with those of our partners and may inadvertently and unnecessarily create barriers to trade. Our AI entrepreneurs are heavily dependent on being able to access and exploit AI models like ChatGPT from the United States. We should not risk creating obstacles that inhibit adoption, the realizing of the maximum potential of AI or the continued growth of AI and the ecosystem and the high-paying jobs it will create.

AI is going to be as transformative and as important as the steam engine, electricity and the microchip in prior generations. Canadian organizations in all sectors need open access to AI systems to support adoption and innovation and to be competitive in world markets. If we fail to get this right, there could be significant long-term detrimental consequences for this country.

To go back to my first point, there is nothing in AIDA to provide comfort that these risks will be avoided. While my opening remarks, Mr. Chairman, relate to AIDA, I also have concerns about the CPPA. I would be glad to answer any questions you may have about AIDA or the CPPA.

Thank you again for the opportunity to appear.

Thank you so much, Mr. Chair, Madam Clerk and committee members, for this opportunity to speak with you today about centring human rights and substantive equality in Canadian AI legislation.

I am a law professor at UBC. I have been researching and writing in the areas of—

Thank you.

I have been researching and writing in the areas of tort law, privacy law and the regulation of automated technologies for over a decade, with a particular focus on rights and substantive equality, including recent publications on safety in AI and robotics governance in Canada and work with the B.C. Law Institute's civil liability and AI project.

I'm here today representing the Women's Legal Education and Action Fund. LEAF is a national charitable, non-profit organization that works toward ensuring that the law guarantees substantive equality for all women, girls, trans and non-binary people. I'm a member of LEAF's technology-facilitated violence advisory committee and will speak to LEAF's written submissions, which I co-authored with LEAF senior staff lawyer Rosel Kim. Our submission and my comments today focus on the proposed AI and data act.

You've heard this before, but if we're going to regulate AI in Canada, we need to get it right. LEAF agrees with previous submissions emphasizing that AI legislation must be given the special attention it deserves and should not be rushed through with privacy reform. To the extent that this committee can do so, we urge that AIDA be separated from this bill and wholly revisited. We also urge that any new law be built from a foundation of human rights and must centre substantive equality.

If the AI and data act is to proceed, it will require amendments. We examined this law with an acute awareness that many of the harms already arising from the introduction of AI into social contexts are inequitably experienced by people who are already marginalized within society, including on the grounds of gender, race and class. If the law is not cognizant of the inequitable distribution of harm and profit from AI, then despite its written neutrality, it will offer inequitable protection. The companion document to AIDA suggests that the drafters are cognizant of this.

In our written submission, we made five recommendations, accompanied by textual amendments, to allow this law to better recognize at least some of the inequalities that will be exacerbated by the growing use of AI.

The act is structured to encourage the identification and mitigation of foreseeable harm. It does not require perfection and, in fact, is likely to be limited by the extent to which harms are not considered foreseeable to the developers and operators of AI systems.

In this vein, and most urgently, the definitions of “biased output” and “harm” need to be expanded to capture more of the many ways in which AI systems can negatively impact people, for instance, through proxies for protected grounds and through harm experienced at the group or collective level.

As we note in our submission, the introduction of one AI system can cause harm and discriminatory bias in a complex and multi-faceted manner. Take the example we cite of frontline care workers at an eating disorder clinic who had voted to unionize and were then replaced by an AI chatbot system. Through an equity lens, we can see how this would cause not just personal economic harm to those who lost their jobs but also collective harm to those workers and others considering collective action.

Additionally, the system threatened harm to care-seeking clients, who were left to access important medical services through an impersonal and ill-equipped AI system. When we consider equity, we should emphasize not only the vulnerable position of care workers and patients, but also the gendered, racialized and class dimensions of frontline work and experience with eating disorders. The act as currently framed does not seem to prompt a fulsome understanding nor a mitigation of the different complex harms engaged here.

Furthermore, as you've already heard, the keystone concept in this legislation, “high-impact system”, is not defined. Creating only one threshold for the application of the act and setting it at a high bar undermines any regulatory flexibility that might be intended by this. At this stage in the drafting, absent a rethinking of the law, we would recommend removing this threshold concept and allowing the regulations to develop in various ways to apply to different systems.

Finally, a key challenge with a risk mitigation approach, such as the one represented in this act, is that many of the harms of AI that have already materialized were unforeseeable to the developers and operators of the systems, including in the initial decision to build a given tool. For this reason, our submission also recommends a requirement for privacy and equity audits that are transparent to the public and that bring the attention of the persons responsible to as extensive as possible prevention and mitigation.

Finally, I would emphasize that concerns about the resources required to mitigate harm should not dissuade this committee from ensuring that the act will mitigate as much harm and discrimination as possible. We should not look to expand an AI industry that causes inequitable harm. Among many other reasons, we need a human rights approach to regulating AI for any chance of an actually flourishing industry in this country.

Industries will also suffer if workers in small enterprises are not protected against harm and discrimination by AI.

Public resistance to a new technology is often based on an understanding that a select few stand to benefit, while many stand to lose out. To the extent possible, this bill should try to mitigate some of that inequity.

Thank you for your time, and I look forward to your questions and the conversation.

Thank you very much for the question. It's a very good one.

One of the concerns I have about the CPPA, in particular, is that it creates these ambiguous new standards and requirements with open-ended tests, such as what would be appropriate or what a reasonable person would think. This is very hard for any organization that seriously wants to comply to know how to comply. “Appropriate Purposes” is a good example.

As for “minor”, I think it would be useful to have a common definition that applies throughout.

In terms of “sensitive information”, I think there are already sufficient cases for what “sensitive” is. I think “sensitive” is contextual, depending on the circumstances. There is a lot of guidance from the Privacy Commissioner on that. I don't think it would hurt to have criteria, but I think the courts are well suited to figuring that one out.

Thank you for that follow-up question.

I have reviewed the amendments proposed by the minister, which make it clear that the joint purposes of the act are the protection of the fundamental right of privacy and the legitimate interests of business. I think that's an appropriate way to do it. One has to understand that every fundamental right, including the fundamental rights in the charter, is subject to the Oakes test, which is a balancing exercise. The purpose clause makes it clear that we have to balance that fundamental right and the interests of business. This gives the courts the appropriate tools to solve the problem.

I'll also point out that the “Appropriate Purposes” section is an override section. If there is something an organization does that, frankly, is offside, this trumps everything. When you put together the purposes of the act and “Appropriate Purposes”, the public is adequately protected.

I won't get into the fact that, also, the Privacy Commissioner has huge discretionary powers as to how to enforce it, with very limited rights to appeal. If the Privacy Commissioner believes a fundamental right has been violated and that it's an inappropriate purpose, the commissioner has all the powers required to do the proper calibration to protect the public.

I heard that criticism about the GDPR being burdensome on small businesses. I think organizations like the EU Data Protection Supervisor and the Information Commissioner's Office of the U.K. have really focused on small businesses and innovators to help them with their compliance.

I suppose there isn't such a strict category line that we can draw between a small business and a medium-sized business in terms of the harms that they could create. I'll just remind you that Cambridge Analytica was a small business.

Therefore, I think what is more appropriately in context is the sensitivity and the amount of data that's being processed, whether it's two people working in their garage or a small political consultancy. There are many larger companies that aren't processing sensitive personal data. I think the point is to be able to delineate the potential harms and risks that a business is creating for Canadians and to make sure that those risks are properly mitigated.

Yes, I believe so. Legitimate interest is one of six legal bases that a company can use to process personal information—the others being required by contract, informed consent, binding corporate rules and public tasks. There are many legitimate bases for processing personal information. Legitimate interest is not meant to be an exception. It's one type of legal basis for collecting and processing data.

I think what has happened in Bill C-27—

Is that better? Can you hear me now?